The MailVault FAQ

by J. Orlin Grabbe

[Note: this FAQ only applies to the new MailVault being beta-tested August 2001.]

What is MailVault?

MailVault is a web-based email system intended to make it easy to send and receive
encrypted or unencrypted email and to communicate using anonymous email pseudonyms.

How does MailVault relate to other Laissez Faire City products?

Laissez Faire City is committed to developing a privacy infrastructure which will allow individuals
and entities to operate in the freedom of cyberspace outside the confines of the traditional
nation-state.

To achieve sovereignty, individuals need private and secure communication,
private and secure financial transactions, and a capital-raising mechanism to finance their
endeavors.

In this context, MailVault is a service making available private and secure
communication.

Why isn't my email already private?

Email that is sent in plain (ordinary) text across the Internet can be read by many different
partiesif they make the effort to do so. One of these may be your local Internet Service
Provider (ISP). He may be curious or may have been forced to install Carnivore by the FBI.

Carnivore is a software program that scans email for anything the FBI is interested in. The FBI
is the domestic political police arm of the U.S. government, renowned for covering up
government crimes, and fabricating evidence against anyone the U.S. government designates as
a threat to itself.

Other countries and agencies have similar email surveillance programs.

Unencrypted email can also be read at any of the router nodes that send your email packets along their
way across the Internet.

Equally important is how and where you store your email. It is now common in U.S.
court cases, for example, to subpoena the email of defendants in everything from divorce
proceedings to political and financial fishing investigations.

How does MailVault protect my privacy?

First, when you connect to the MailVault mail server, the connection is encrypted, using an
encryption standard for connecting web browsers to web servers called SSL. (MailVault
requires your browser to have the capability to do 128-bit SSL encryption.)

Thus, no one can see what email messages you download to your computer, or send to
MailVault. Neither can they see your MailVault email identity.

If your MailVault identity is "nobody@MailVault.com", then you can download your email from
anywhere in the world over the Internet, without anyone being able to easily associate your real
identity with this MailVault email address.

Second, MailVault makes it easy to encrypt email messages before they are sent across the
Internet from the MailVault server, or to decrypt encrypted messages received in your
MailVault mailbox.

For this, MailVault uses an encryption standard called PGP ("Pretty Good Privacy"). With
MailVault you can create PGP public-private key pairs, and also import public PGP keys, or
export them to other applications. That means you can send PGP-encrypted email to, and
receive PGP-encrypted email from, people who are not customers of MailVault.

Finally, MailVault is a place to securely store email (depending on limitations of space). A
secure storage area is important to people who use Internet cafes, or who do not wish to store
email on their work or home computer, where the email addresses of their correspondents would
be readily observable.

What is the relationship between the new MailVault and previous versions of MailVault?

Essentially, none whatsoever. DMT neither administers nor supports the use of previous
versions of MailVault, nor do we recommend the use of products that don't meet the requisite
computer security requirements. That includes Hotmail, HushMail, ZipLip, and the Dodge City
Nym-to-Nym server.

How do I get a MailVault account?

There are various ways. A basic level of service will be available for free. An enhanced level of
service comes with a combination package which includes a Cybercorporation, a
MailVault account, and an ALTA account.
(Laissez Faire City Founders automatically receive all these initially for free.)

Business details are subject to change, and are not properly included here. But watch the
Laissez Faire City Times web site for a link
soon to sign up for the new MailVault.

Are there any restrictions on my use of MailVault?

Yes. We are committed to anonymity and privacy, but this commitment includes an expectation
of personal responsibility and morality. MailVault shall not be used to make threats of violence,
or to engage in frauds or scams. Additionally, MailVault shall not be used to send spam; or to
send, receive, or store child pornography. Finally, the MailVault server will not permit
connections from a .gov or .mil domain name. (If you are a slave of
the nation-state, then humbly beseech your masters to provide you with private email.)

Can you tell me something about the bolts and hinges of MailVault?

Here is a brief outline, along the lines of the old spiritual which goes "the head bone is connected
to the neck bone, the neck bone is connected to the back bone" etc.

When you use your web browser (Opera, say, or Netscape Navigator or
Internet Explorer) to log in to the MailVault Apache web server running on
Linux, your browser and the web server negotiate an encryption key for this session. The key
is used to set up an encrypted channel between your browser and the web server.
Communication (as well as the just mentioned key negotiation) follows a security protocol called
SSL (www.openssl.org).

After the encrypted channel is set up, you will see the MailVault web pages, which were
written in an HTML-embedded scripting language called PHP (www.php.net).

The first thing you may want to do is check your email. When the web server receives this request,
it talks to the mail server, which sends, receives, and stores email. The MailVault mail
server is one called qmail (qmail.valueclick.com/top.html), which is a secure mail transfer agent. Qmail was written
as a substitute for the Sendmail client often included with Unix/Linux, because Sendmail had
too many security problems.

Qmail sends, receives, and stores email. When you write an email and send it to the web server,
it forwards it to qmail which puts it in a queue for forwarding on its way across the Internet. The
email is forwarded after a short random time interval. The time delay is intended to help prevent
traffic analysis. (If some agency had the resources to know that you sent an email at
10:43:31, and an email emerged from the MailVault server a few seconds later, it could, by
correlation, learn to associate your real identity with the email address of your correspondents.)
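
The effect of that delay can be measured. The simulation below is an added example, not MailVault's code: for each incoming message it counts how many outgoing messages fall inside its possible delay window. The uniform delay, the arrival pattern, and every name and number in it are assumptions.

```python
import bisect
import random

def simulate(n_msgs, mean_gap_s, max_delay_s, seed=1):
    """Return (arrivals, sorted exits) for a queue that holds each message
    for a uniform random delay in [0, max_delay_s] seconds."""
    # Seeded PRNG only so the demo is repeatable; a real queue would draw
    # its delays from a CSPRNG such as secrets.SystemRandom().
    rng = random.Random(seed)
    t, arrivals, exits = 0.0, [], []
    for _ in range(n_msgs):
        t += rng.expovariate(1.0 / mean_gap_s)   # constructed arrival pattern
        arrivals.append(t)
        exits.append(t + rng.uniform(0.0, max_delay_s))
    return arrivals, sorted(exits)

def anonymity_sets(arrivals, exits, max_delay_s):
    """For each arrival, count the outgoing messages that could be it:
    those leaving within [arrival, arrival + max_delay_s]."""
    sizes = []
    for t in arrivals:
        lo = bisect.bisect_left(exits, t)
        hi = bisect.bisect_right(exits, t + max_delay_s)
        sizes.append(hi - lo)
    return sizes

def summarize(mean_gap_s, max_delay_s, n_msgs=500):
    """Return (smallest, average) anonymity-set size for one traffic level."""
    arrivals, exits = simulate(n_msgs, mean_gap_s, max_delay_s)
    sizes = anonymity_sets(arrivals, exits, max_delay_s)
    return min(sizes), sum(sizes) / len(sizes)

if __name__ == "__main__":
    for gap, delay in [(10, 0), (10, 60), (600, 60)]:
        print(f"gap={gap}s delay<={delay}s ->", summarize(gap, delay))
```

With no delay every message is its own set of one. The same 60-second window that hides a message among several others on a busy server hides almost nothing on a quiet one, so the delay has to be sized against actual traffic volume.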

Of course, the central purpose of MailVault is to make it easy to send and receive encrypted
email, to import and export keys, and to operate under different email identities or nyms. For
this purpose there are three additional pieces to MailVault: a client database, a
key server, and a crypto engine. In short, the client database keeps client info
such as passwords, the keyserver keeps PGP public keys, and the crypto engine encrypts and
decrypts email.

When you first log in to MailVault, you enter a Username and Password. These are checked in
the client database against a validation list. Associated with your login Username are various
email aliases: email names you may wish to use for Internet correspondence.

The web server and the client database talk to each other using a language and protocol called
XML-RPC (www.xmlrpc.com). (For those who care, XML, eXtensible Markup Language
[www.w3.org/xml/], is the practical subset of SGML, or Standard Generalized Markup Language
[www.w3.org/sgml/], of which the world-wide web's HTML is one example; RPC is Remote Procedure Call,
a way for different computer processes or applications, even ones that are running on
different computers using different operating systems, to call each other's parameters and
procedures: each other's variables, subroutines, functions, processes, etc.)
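
The login check described above, shown as an XML-RPC exchange with both sides in one process. This is an added example, not MailVault's code: the method name clientdb.validate_login, the salted PBKDF2 storage, the sample account, and the in-memory hand-off in place of a network transport are all assumptions.

```python
import hashlib, hmac, os
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

ITERATIONS = 100_000  # assumed PBKDF2 work factor

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password, aliases):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "aliases": aliases}

# Constructed validation list: login Username -> salted hash + email aliases.
CLIENTS = {"jdoe": make_record("correct horse",
                               ["nobody@MailVault.com", "nym2@MailVault.com"])}
_DUMMY = make_record("placeholder", [])

def validate_login(username, password):
    """Client-database side: return the aliases on success, [] otherwise."""
    rec = CLIENTS.get(username, _DUMMY)   # unknown users cost the same work
    ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    return rec["aliases"] if ok and username in CLIENTS else []

dispatcher = SimpleXMLRPCDispatcher()
dispatcher.register_function(validate_login, "clientdb.validate_login")

def web_server_login(username, password):
    """Web-server side: marshal the call, hand it to the database
    dispatcher, unmarshal the reply. Returns (request_xml, aliases)."""
    request = xmlrpc.client.dumps((username, password),
                                  "clientdb.validate_login")
    response = dispatcher._marshaled_dispatch(request.encode())
    (aliases,), _ = xmlrpc.client.loads(response)
    return request, aliases

if __name__ == "__main__":
    xml, aliases = web_server_login("jdoe", "correct horse")
    print(xml)        # the password is visible in the XML body
    print(aliases)
```

The printed request shows the password as a plain string parameter in the XML body, which is why this hop needs its own encrypted channel rather than relying on the browser's SSL session alone.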

When you indicate your wish to encrypt an outgoing email, you click the appropriate button in
MailVault. Rather than sending your email immediately to qmail, the MailVault web server
sends it first to the crypto engine. The web server and the crypto engine also talk to each other
using XML-RPC, described previously. Now, just as there is secure communication between
your web browser and the web server, so is there secure communication between the web server
and the crypto engine. Your email is automatically encrypted all the way from your web browser
to the crypto engine. There the crypto engine turns your email back into plain text in order to
PGP encrypt it. It then sends the PGP-encrypted message back to the web server, which sends
it to qmail for forwarding.

When the crypto engine encrypts email to one of your correspondents, it must use that
correspondent's public key. The crypto engine goes to the keyserver to get it. The
keyserver uses PGP Public Key Server software written by Marc Horowitz of MIT
(www.mit.edu/people/marc/pks/pks.html).

PGP private keys are stored in a separate keyserver database running on software developed
in-house by DMT and Laissez Faire City. The crypto engine accesses a private key when
it is necessary to decrypt a PGP-encrypted email sent to a MailVault client, or to PGP-sign
an outgoing email.